Brazilian payment malware may have skimmed up to $4 billion

Banking malware built to misdirect a Brazilian form of bank payment method targeted $3.75 billion of transactions over the past two years – and the scale of the attack may have eclipsed any single previous instance of electronic theft, according to the New York Times.

The attacks targeted Boleto Bancario – known as Boletos – a payment method popular in Brazil which allowed customers to pay bills from electricity to mortgages using bills issued online payable via banks and supermarkets. The Register reports that 18% of bills paid in Brazil are via Boletos.

Cybercriminals targeted these transactions with “man in the browser” malware, according to RSA, which simply substituted the legitimate account numbers of the payees with the account numbers of criminals or “money mules”, paid by gangs to transfer money on to the criminals.

Half a million transactions

RSA researchers found that a gang had access to 122,227 remote-controlled infected PC, and used access to these “bots” to intercept nearly half a million Boleto transactions.

“While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to $$3.75 billion,” RSA said in a blog post this week.

“The Boleto malware is a newer and more sophisticated kind of fraud in Brazil that leverages man-in-the-browser technology to attack online operations, and is based on transaction modification on the client side.”

Victims unaware until too late

The payments are popular in Brazil because they do not require a bank account. For cybercriminals, the appeal was simple, according to ZDNet’s report: the transactions cannot be reversed once put in place.

Malware targeting boleto transactions is known as ‘bolware’, according to veteran security researcher Brian Krebs’ report. Typical attacks target the computers of those issuing ‘boletos’, with “man in the browser” malware waiting until a boleto is issued, then substituting the account numbers of a gang member or mule.

By the time the owner of the hacked PC is aware that the payment has not appeared, it is too late to reclaim the money.

While the payments targeted were low-value amounts, the sheer number of transactions intercepted – up to 495,000 – meant that gangs could earn huge amounts of money over a short period.